Oauth v2 PKCE Flow

[evankalaw]

Hi there,

This might be a goofy question, but I'm curious - I'm trying to use the Oauth V2 PKCE flow per the documentation to get a user context and just call Client.get_me().

I can't seem to get the flow to work, and was curious, particularly about this part in the documentation from here:

This can be used to have a user authenticate your app. Once they’ve done so, they’ll be redirected to the Callback / Redirect URI / URL you provided. You’ll need to pass that authorization response URL to fetch the access token:

After landing in the callback, we need to provide the "authorization response url" to fetch_token for an instantiated Oauth2UserHandler to get an access token. What exactly is that?

I assumed that this is the callback url with the appropriate query string (includes state and code), but I'm getting this error:

oauthlib.oauth2.rfc6749.errors.InvalidClientIdError: (invalid_request) Missing required parameter [code_verifier].

Thanks for any help you can give me.

[Harmon758]

I assumed that this is the callback url with the appropriate query string (includes state and code)

It is.

Are you using the same instance of OAuth2UserHandler? The code verifier should be created and set in OAuth2UserHandler.get_authorization_url.

[Harmon758]

I mean specifically. It's flask.session?

[evankalaw]

Correct, it is flask.session, my bad

[Harmon758]

I believe flask.session is client-side and uses cookies. It's likely not able to serialize and un-serialize a complex object like OAuth2UserHandler properly.

[evankalaw]

I'm back!

I have a few questions for you as I've done some more digging.

• You were correct, using sessions seems to not be serializing and un-serializing the OAuth2UserHandler properly. I've found a work around for that, but I have a few more supplementary questions.

All in all, my final issues that I'm running into are as follows:

I seem to be able to generate a token properly (this one is expired, so I don't mind sharing the contents of a print statement):

access_token {'token_type': 'bearer', 'expires_in': 7200, 'access_token': 'd19FRE5hLXBwTHNfWnlaZ2ZKMmxLUlpBT0pUc01GYV8tQVFraDZ2aGdWeWlaOjE2NDY3ODM5ODg5NzI6MToxOmF0OjE', 'scope': ['users.read', 'tweet.read'], 'expires_at': 1646791189.0388649}

I assume that this means that I'm generating the token properly from the authorization response url and the OAuth2UserHandler, and after further reading in the documentation / experimenting I found that because I'm using the OAuth2 PKCE Flow I need to pass "user_auth=false" into get_me(), e.g. client.get_me(user_auth=false) after initializing the client, because the default for get_me is to use the OAuth 1.1 user context as user_auth's default is set to true in get_me() inside of tweepy/tweepy/client.py.

When I use the Auth token above, to initialize the client per the documentation, doing both client = tweepy.Client(access_token["access_token"]) (this seems to be what I want to do), or client = tweepy.Client(access_token), I am still getting a 403:

ERROR:__main__:Caught exception - 403 Forbidden
Traceback (most recent call last):
  File "/Library/Caches/pypoetry/virtualenvs/appserv-XG89P1st-py3.9/lib/python3.9/site-packages/flask/app.py", line 1516, in full_dispatch_request
    rv = self.dispatch_request()
  File "/Library/Caches/pypoetry/virtualenvs/appserv-XG89P1st-py3.9/lib/python3.9/site-packages/flask/app.py", line 1502, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/Library/Caches/pypoetry/virtualenvs/appserv-XG89P1st-py3.9/lib/python3.9/site-packages/webargs/core.py", line 452, in wrapper
    return func(*args, **kwargs)
  File "path", line 93, in twitter_callback_v2
    print(client.get_me(user_auth=False))
  File "/Library/Caches/pypoetry/virtualenvs/appserv-XG89P1st-py3.9/lib/python3.9/site-packages/tweepy/client.py", line 1910, in get_me
    return self._make_request(
  File "/Library/Caches/pypoetry/virtualenvs/appserv-XG89P1st-py3.9/lib/python3.9/site-packages/tweepy/client.py", line 118, in _make_request
    response = self.request(method, route, params=request_params,
  File "/Library/Caches/pypoetry/virtualenvs/appserv-XG89P1st-py3.9/lib/python3.9/site-packages/tweepy/client.py", line 92, in request
    raise Forbidden(response)
tweepy.errors.Forbidden: 403 Forbidden

Am I using the wrong thing to initialize the client I'm using to make these API calls?

I seem to be using the proper scopes in my definition of the OAuth2UserHandler as well, being 'users.read', 'tweet.read' according to the Twitter documentation for this endpoint (which was my initial concern) but they seem to be correct.

The relevant code for this section is the following

@app.route("/callback")
@use_args(
    {
        "state": fields.Str(),
        "code": fields.Str(),
    },
    location="query",
)
def twitter_callback(args):
    state = args.get("state")
    code = args.get("code")

    access_token = oauth2_user_handler.fetch_token(
        f"http://localhost:5000/callback/v2?state={state}&code={code}"
    )

    client = tweepy.Client(access_token["access_token"])

    print(client.get_me(user_auth=False))

Thanks so much for your correspondence, I'd love your input if possible.

[Harmon758]

That should work, and I'm unable to reproduce this:

>>> access_token = oauth2_user_handler.fetch_token("Redacted")
>>> client = tweepy.Client(access_token["access_token"])
>>> client.get_me(user_auth=False)
Response(data=<User id=1072250532645998596 name=Tweepy Testing username=TweepyDev>, includes={}, errors=[], meta={})